Print
Discuss
Send to friend
RSS feedsThe rash of recent scandals involving loss of records from both government departments and commercial organisations has led many to question just how seriously the security of sensitive data is being taken. One can easily imagine the pressure now being put on various public bodies to tighten up their procedures or else. But the incidents just keep coming and coming. One security web site, attrition.org, even keeps a list of major data exposure incidents, and it is a depressingly long one, at that.
Commentators have often focused blame on those individuals or employees that were handling the data when it was lost, such as the now infamous “junior official” blamed for sending out the UK’s entire child benefit records database on two CDs in an unregistered package last year. How could anyone be so stupid when handling such vital information, you might well ask.
But as IT Week pointed out at the time, these incidents reveal a systematic failure within some organisations to take security seriously and put appropriate measures in place. While it was phenomenally stupid to put sensitive personal information through the post, the question remains as to why a “junior official” was able to get unrestricted access to the entire data set in the first place, and why HM Revenue & Customs had not trained its staff in best practice when handling and processing such information.
With organisations now sensitised to the threat of data loss, there is perhaps a danger that there will be a backlash and that management will insist on a total clampdown on the movement of data and who has access. While this is right and proper in the HMRC case, where the information disclosed may expose millions of people to identity fraud, it would be a sad state of affairs if companies used this as an excuse not to allow employees to work from home, for example.
It’s not as if there aren’t tools on the market to secure data. Seagate’s hard drives with embedded encryption, for example, provide a reasonable level of protection against data on a laptop being exposed if it should be lost or stolen.
You could argue that encryption is still a bit of a black art especially where public key infrastructure (PKI) is concerned and that it is difficult to administer, but in a typical organisation, the number of staff that require such protection is likely to be relatively few.
And then there are tools that enable firms to enforce policy on removable storage, so that only authorised staff can copy files to USB Flash drives and the like. These products have been around for several years now, and are built into nearly every management suite of any significance, so why are they not used more widely by companies that could genuinely benefit from the technology?
This is only a guess, but I imagine that IT is often rather low on the list of priorities for departments like the HMRC, and proper security may have been seen as an expense they couldn’t afford. Sadly, as events such as the child benefit case and the more recent theft of a laptop stolen from the Ministry of Defence illustrate, harsh reality has a habit of proving otherwise.
Tags: Security
del.icio.us
Digg this
reddit!
